Can log in with either local(shadow) or ldap password

[RB]

It's unclear what you're asking, but I'll make a stab at answering anyway.

On Thu, Feb 5, 2009 at 14:38, Orion Poplawski <orion at cora.nwra.com> wrote:
> On our laptops we have local users defined in /etc/shadow for offline use.

It's more a security question than a usability one, but why aren't you
using nscd for such offline use instead of granting "dual" accounts?

>  We also authenticate against and LDAP server.  Interestingly, when on the network a
> user can log in with either the local or ldap password.  I would have expected
> only the local password to work.

This doesn't make sense, perhaps you meant "off the network" or "only
the LDAP password to work"?  Your local passwords work anywhere
because pam_unix is 'sufficient' on your stack before pam_ldap.
Reverse that (and the *_first_pass args) if you want network
authentication to be tried first.

> system-auth:
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so

It'll probably be more efficient (and readable) to use "pam_min_uid"
in /etc/ldap.conf than to use the pam_succeed_if trick.

Your prior question (about using SSHA hashes) now seems to indicate
you're wanting to keep the local & network passwords in-sync.  The
best way would be to use cached credentials (via nscd) and forget
about doing local users.  Failing that, you could stack pam_ldap.so
above pam_unix.so in the password module thus:

password    required    pam_ldap.so
password    required    pam_unix.so use_authtok

That (use_authtok) will keep the passwords in-sync, but you won't be
able to perform offline password changes.  Changing pam_ldap to
'sufficient' would allow offline changes, but they'd be out-of-sync
until you performed a successful online change.